Splunk Search

How to extract a string with length, based on the value of another field?

Naren26
Path Finder

These are some sample of my logs : "07PRIVATE" or "06SAMPLE" OR "08EXAMPLES"

The first two digits are the length of the string which follows the digits. Hence, I need to form the query based on the first field's (2 digits's) value. I tried the following regex:

(?<StringLength>\d{2})(?<MyString>\w{StringLength})

I could clearly see that the above regex is wrong. Please suggest how this can be done.

0 Karma

Naren26
Path Finder

All the comments for this post helped me to solve the problem, but I had to make few changes in their regex to suit all different combinations. Following is my regex:

(?<StringLength>\d{2})(?<MyString>\w[a-z|A-Z|\s|0-1]*) | eval MyString=substr(MyString,1,StringLength)

The [a-z|A_Z|0-1]* part will match the string even if it has any spaces in between.

For eg, if my string is "08PRI VATE" , it will match the "PRI VATE" in my regex. By not adding the above change, it only matched "PRI" and stopped whenever any space is there.

Thank you all for your suggestions.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Your use of the pipe symbol inside the square brackets is wrong. You do NOT need the pipe. By placing it in there you are including that character in the set of characters to match.

The \w before the square brackets may also not be needed, since it is the set of [a-zA-Z0-9_] characters which would be covered by what you have in the square brackets already.

I'm not trying to be picky about your solution, just trying to help clean it up. 🙂

493669
Super Champion

Does it giving you expected output as I tried this:

|makeresults|eval _raw="07PRI VATE"|rex "(?<StringLength>\d{2})(?<MyString>\w[a-z|A_Z|0-1]*)"| eval MyString=substr(MyString,1,StringLength)

It gives me MyString as only "P"
else try something like this:

|makeresults|eval _raw="07PRI VATE"|rex "(?<StringLength>\d{2})(?<MyString>.*)"| eval MyString=substr(MyString,1,StringLength)
0 Karma

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval raw="07PRIVATE,06SAMPLE,08EXAMPLES" 
| makemv raw delim="," 
| mvexpand raw 
| rex field=raw "(?<StringLength>\d{2})(?<MyString>\w+)"

In your environment, you should write

<your_base_Search> | rex field=_raw "(?<StringLength>\d{2})(?<MyString>\w+)"

let me know if this helps!

493669
Super Champion

Hi @Naren26,
Try this:

|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)

Try run this anywhere search:

|makeresults|eval _raw="07PRIVATE"|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)

Naren26
Path Finder

The eval part helped me to solve the problem. But it needed a small change which I mentioned in my answer. Thanks @493669 !

0 Karma

Naren26
Path Finder

I am running into another issue by using eval method. If I have string after MyString then this will create problems. For eg., If I have the log 07PRIVATEStationSt1256, how can I get the value "PRIVATE" only.

Because, since we are taking substring in eval, it will extract all the values after 07 and take the substring in eval. Hence, I could not able to extract the string StationSt and 256.

Is there any other alternative or we can modify the eval method itself?

0 Karma

493669
Super Champion

as per your question you want to extract the string upto lenght which is specified in mystring first digits?
so in 07PRIVATEStationSt1256 it will extract only 7 length string which will be PRIVATE so are you expecting something else?

0 Karma

Naren26
Path Finder

Yes, I need to extract the string with length based on the digits before that. But as per the following query,

|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?\d{2})(?\w+)(?\w+)(?\d{3})"| eval MyString=substr(MyString,1,StringLength)

the modifier MyString will take "PRIVATEStationSt1256" and take the substring of length 07 from the original MyString value. I mean, since the taking the substring after the rex command causes the error. This is wrong.

Because, If the MyString value extracts "PRIVATEStationSt1256" , then the value for StationName and StationId will be empty.

I hope you understand what is the issue here.

0 Karma

493669
Super Champion

You haven't mentioned any capture group so I dont think your rex will work....
try this:

|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>\w+)"| eval MyString=substr(MyString,1,StringLength)

but still unable to get what you are trying to say....if your raw is PRIVATEStationSt1256 then what output you are expecting in MyString

0 Karma

Naren26
Path Finder

I need the extract the following values:

StringLength = 07
MyString = PRIVATE
StationName = StationSt
StationId = 1256

I have used the following query:

|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>\w+)(?<StationName>\w+)(?<StationId>\d{4})" |  eval MyString=substr(MyString,1,StringLength)

In the above query, the value MyStrng will always extracted correctly as expected. But the value StationName is not correct. Try removing the eval statement and run the above query. You will get to know what is the issue I am talking about.

0 Karma

493669
Super Champion

hey, try this regex:

|makeresults|eval _raw="07PRIVATEStationSt1256"|rex "(?<StringLength>\d{2})(?<MyString>[A-Z,a-z]+)(?<StationId>\d{4})"|  eval MyString1=substr(MyString,1,StringLength), StationName=substr(MyString,StringLength+1)
0 Karma

horsefez
Motivator

Hi Naren26,

it's not possible to extract a variable number out of a regular expression and use it in it.

Why not give this one a try.
(?<StringLength>\d{2})(?<MyString>\w+)
OR
(?<StringLength>\d{2})(?<MyString>[^\s]+)

493669
Super Champion

after your log what data is present i.e. after "07PRIVATE" what string is present?
Could you please provide sample events

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...